I am able to establish both IBGP and EBGP (with ebgp-multihop 2) behind NAT. It's just a TCP connection, right, so it should work, and it did work for me.

But as soon as I configured authentication, the BGP connection was torn down due to an MD5 mismatch. It must be due to the source address being changed by NAT, as Waldemar mentioned.

With regards
Kings

On Tue, Sep 15, 2009 at 8:09 PM, Basem Hanna <[email protected]> wrote:

> You could try to add the norandomseq at the end of the static.
>
> Also you can add (I think you might have this already bgpmap?)
>
> tcp-map BGP
>  tcp-options range 19 19 allow
>
> set connection advanced-options BGP
>
> But to be honest I have never been able to get BGP to work if it's behind a
> NAT. Actually, I believe I read somewhere that it doesn't work if it's
> behind a NAT.
>
> -B
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
> Sent: Tuesday, September 15, 2009 9:38 AM
> To: [email protected]
> Subject: [OSL | CCIE_Security] BGP across ASA with neighbor of NATTed address
>
> Hi all
>
> For having BGP across ASA, I have tried the following solution:
>
> Peer A (10.20.30.40) ---------- (10.20.30.43) inside ASA outside (172.16.3.3) ---------- (172.16.3.2) Peer B
>
> Peer A
>
> router bgp 2
>  neighbor 172.16.3.2
>
> ASA
>
> static (inside,outside) 172.16.3.4 10.20.30.40
>
> access-list bgp extended permit tcp any any eq bgp
> access-list bgp extended permit tcp any eq bgp any
>
> class-map bgp
>  match access-list bgp
>
> policy-map global_policy
>  class bgp
>   set connection random-sequence-number disable
>   set connection advanced-options bgpmap
>
> Peer B
>
> router bgp 2
>  neighbor 172.16.3.4
>
> In the ASA, I am translating the source IP of the BGP packet. In BGP, the
> IP address in the packet should match the address configured in the
> neighbor list. So in Peer B the neighbor is the NATTed address, not the
> original IP address.
>
> BGP connection is established, but if authentication is configured the MD5
> signature fails with hash mismatch (maybe due to translation of the IP
> address).
>
> With regards
> Kings
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
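The MD5 mismatch both posters describe follows directly from how the TCP MD5 signature option (RFC 2385) is computed: the digest covers a pseudo-header containing the source and destination IP addresses, so any address rewrite by the ASA invalidates it. The following added example (not from the thread or from any vendor code) recomputes that digest over a constructed SYN segment with the thread's addresses and a made-up key, first as Peer A signs it and then as Peer B sees it after the static NAT.

```python
import hashlib
import ipaddress
import struct

# Constructed values for the demo (not from the thread): the addresses mirror
# the post's topology; the key, ports and sequence number are made up.
PEER_A_INSIDE = "10.20.30.40"   # Peer A's real address, used when it signs
PEER_A_NATTED = "172.16.3.4"    # what Peer B sees after the ASA static NAT
PEER_B = "172.16.3.2"
KEY = b"constructed-bgp-key"
TCP_PROTO = 6

def syn_header(sport, dport, seq, checksum=0):
    """20-byte fixed TCP header for a SYN. Data offset of 10 words (40 bytes)
    leaves room for the 18-byte MD5 option plus padding."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0,
                       10 << 4, 0x02, 65535, checksum, 0)

def rfc2385_digest(src_ip, dst_ip, tcp_header, payload, key):
    """MD5 over: pseudo-header (src, dst, zero-padded protocol, segment length),
    TCP header without options and with checksum zeroed, payload, then key."""
    seg_len = (tcp_header[12] >> 4) * 4 + len(payload)   # options counted via data offset
    pseudo = (ipaddress.IPv4Address(src_ip).packed
              + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, TCP_PROTO, seg_len))
    hdr = bytearray(tcp_header)
    hdr[16:18] = b"\x00\x00"       # checksum field is assumed zero while hashing
    return hashlib.md5(pseudo + bytes(hdr) + payload + key).digest()

def receiver_accepts(sent_src_ip, seen_src_ip, dst_ip, tcp_header, payload, key):
    """The sender signs with the address it writes into the IP header; the
    receiver recomputes with the address it actually sees on the wire."""
    sent = rfc2385_digest(sent_src_ip, dst_ip, tcp_header, payload, key)
    recomputed = rfc2385_digest(seen_src_ip, dst_ip, tcp_header, payload, key)
    return sent == recomputed

if __name__ == "__main__":
    hdr = syn_header(49152, 179, 0x12345678)
    print("no NAT :", receiver_accepts(PEER_A_INSIDE, PEER_A_INSIDE, PEER_B, hdr, b"", KEY))
    print("via NAT:", receiver_accepts(PEER_A_INSIDE, PEER_A_NATTED, PEER_B, hdr, b"", KEY))
```

The same failure occurs in the reverse direction, since Peer B signs with destination 172.16.3.4 while Peer A verifies against 10.20.30.40, so rewriting either endpoint's address is enough to break the session.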
